Securing Web Services – Research

I’ve been looking for a few hours now for a “quick and easy” solution for securing the Dokeos web services, but I still have to go through a whole lot of technical details. Looking for help (to avoid so much reading work), I have sent an e-mail to the php-general mailing-list, hoping for an answer.

Because this e-mail is the result of considerable search efforts, I’m saving it here. Somehow it might very well help somebody trying to do the same…

From:     Yannick Warnier
To:     PHP General
Subject:     [PHP] Securing web services
Date:     Sun, 22 Feb 2009 13:04:37 -0500

Hi there,

Another Web Service related question. Obviously, Google gives me enough
hints to find *many* documents on the topic (searching for “securing web
services”), but I am developing open-source soft and I’d like to secure
my web services to the maximum without forcing the user to use HTTPS/SSL
(the generation or buying of a certificate is not what our lambda users
can do).

Following the very nice table on page 32 of
using a combination of XML Encryption and XML Signature would provide a
cover for almost all security risks related to providing web services.

This article:
also goes away from the SSL method and *talks* about XML-DSIG and
WS-Security, but that’s out of PHP context.

Finally, the following article talks about NuSOAP and the SetCredentials
method, which is probably the closest I can get to secure web services
using existing PHP code.

Would anybody out here have gotten further and be able to tell me how
they did it?



Interesting links on this topic:

(with links to and